- **status**: code-review --> closed
- **QA**: Dave Brondsema
- **Comment**:

Looks good.

I notice some EmailAddress lookup that will probably have to change when we do [#7527]



---

**[tickets:#7543] Password recovery should not confirm email addr existence**

**Status:** closed
**Milestone:** forge-jul-25
**Labels:** security 
**Created:** Mon Jul 07, 2014 04:23 PM UTC by Dave Brondsema
**Last Updated:** Mon Jul 14, 2014 07:18 PM UTC
**Owner:** Alexander Luberg

The forgotten password recovery form says "Unable to recover password for this 
email" if you enter an email that is not in our database.  This can be used to 
determine if an email address is in the system or not.  Instead, we should 
always have a generic success message like "A password reset email has been 
sent, if the given email address is on record in our system."
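
The change requested in this ticket, sketched as an added example that is not part of the original ticket and not Allura's code: a handler that answers the way the ticket describes, beside one that always returns the generic message, plus a regression check that a client cannot tell the two cases apart. The handler names, the `USERS` and `OUTBOX` stand-ins, the success text in the first handler and the sample addresses are assumptions constructed for the illustration.

```python
# Added illustration, not Allura code. All names below are hypothetical.
import hashlib
import secrets

GENERIC_MSG = ("A password reset email has been sent, if the given email "
               "address is on record in our system.")
LEAKY_MSG = "Unable to recover password for this email"

USERS = {"alice@example.com": {"reset_hash": None}}  # constructed sample data
OUTBOX = []  # stands in for the outgoing mail queue


def _issue_token(email):
    """Create a reset token; store only its hash, queue the token for mail."""
    token = secrets.token_urlsafe(32)
    USERS[email]["reset_hash"] = hashlib.sha256(token.encode()).hexdigest()
    OUTBOX.append((email, token))


def request_reset_leaky(email):
    """Behaviour the ticket reports: the response depends on the address."""
    if email not in USERS:
        return 200, LEAKY_MSG
    _issue_token(email)
    return 200, "Email with instructions has been sent."  # constructed text


def request_reset_uniform(email):
    """Behaviour the ticket asks for: same status and body either way."""
    key = email.strip().lower()
    if key in USERS:
        _issue_token(key)
    # Unknown address: nothing visible happens; record it server-side only.
    return 200, GENERIC_MSG


def responses_distinguish(handler, known, unknown):
    """Regression check: can a client tell a known address from an unknown one?"""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    pair = ("alice@example.com", "nobody@example.com")
    print("leaky distinguishes:  ", responses_distinguish(request_reset_leaky, *pair))
    print("uniform distinguishes:", responses_distinguish(request_reset_uniform, *pair))
```

The check compares status and body only; redirects and response time need to match as well, which is one reason to queue the mail rather than send it inside the request.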

